Putting a Switch between the FiOS ONT and Router
Sometimes you need to be able to prove to your ISP that the issue is on their end. Sometimes you need to prove to yourself that the issue is on your end. Sometimes there are hardware or software problems with your router that can be mitigated by putting a device between the two (such as the one where pfSense won’t reestablish the WAN link after it fails). The great thing about having a switch between the ONT and the router is that it makes it incredibly easy to mirror the ONT’s port and put a sniffer such as Wireshark on the line to listen to packets in the wild.
This can be an incredibly effective way of seeing just what data is passing between the ISP and your network. It’s also a great way to make sure your firewall or internal network is operating correctly. You may think your ISP is at fault only to learn your proxy server (think Squid) is acting up.
Option 1: Place a desktop switch between the ONT and the router
The obvious choice might be to place a desktop switch between the ONT and the router. This option does work. It will give you the ability to keep the WAN link on your router up at all times, even if the ONT fails. For some hardware or software incompatibilities where you just don’t want the router to be aware that the WAN link is physically down (such as when the router is on a UPS and the ONT is not), this is a great solution. However, it will not give you the ability to mirror a port for traffic sniffing. These desktop-class switches are also made with cheaper components, which might impact performance, and they are more prone to failure.
Option 2: Use a WAN VLAN between the ONT and the router
Option 2 is the better, more robust solution, but it does require a VLAN-capable switch and a little understanding of more complex networking scenarios. This option creates a virtual LAN on two ports of a managed switch. Plug the ONT into one port and the WAN interface of the router into the other. This gives you the option to mirror either port to a third port on the switch, allowing you to sniff traffic outside the firewall. If you have two routers in a CARP (failover) configuration, you’d just add a third port to this VLAN and connect both routers. This allows for failover in the case of a router failure. Your ISP (Frontier FiOS in my case) would not be aware that there is more than one router connected, because the devices share a virtual MAC address and the IP address that your ISP handed you via DHCP.
In this configuration it is critically important to make sure that no traffic can cross between the WAN VLAN and your other VLANs, as that could allow an attacker to bypass your firewall! These need to be untagged, completely segregated VLANs.
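As an added example (not from the original post), a small Python audit of a constructed IOS-style switch config that flags the leaks the paragraph above warns about: unexpected members of the WAN VLAN, a trunk that carries it, an SVI with an IP address on it, and a mirror destination that is itself a member of the VLAN. All interface names, the VLAN number and the address are assumptions; Gi0/1 stands for the ONT port and Gi0/2 for the router’s WAN port.

```python
import re
# Constructed IOS-style switch config for illustration only (not from the post or any real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description ONT
 switchport mode access
 switchport access vlan 100
interface GigabitEthernet0/2
 description router-WAN
 switchport mode access
 switchport access vlan 100
interface GigabitEthernet0/3
 switchport access vlan 100
interface GigabitEthernet0/4
 switchport mode trunk
interface Vlan100
 ip address 192.0.2.2 255.255.255.0
monitor session 1 source interface GigabitEthernet0/1 both
monitor session 1 destination interface GigabitEthernet0/3
"""

def parse_interfaces(config):
    """Map each 'interface X' block to its indented sub-lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return blocks

def audit_wan_vlan(config, wan_vlan, allowed_ports):
    """Return findings that could let traffic cross into or out of the WAN VLAN."""
    findings, ifaces = [], parse_interfaces(config)
    members = {n for n, ls in ifaces.items() if f"switchport access vlan {wan_vlan}" in ls}
    for name in sorted(members - set(allowed_ports)):
        findings.append(f"{name}: unexpected member of WAN VLAN {wan_vlan}")
    for name, ls in ifaces.items():
        allowed = [l for l in ls if l.startswith("switchport trunk allowed vlan ")]
        # An IOS trunk with no allowed-vlan list carries every VLAN, the WAN VLAN included.
        if "switchport mode trunk" in ls and (not allowed or str(wan_vlan) in allowed[0].split()[-1].split(",")):
            findings.append(f"{name}: trunk carries WAN VLAN {wan_vlan}")
    if any(l.startswith("ip address") for l in ifaces.get(f"Vlan{wan_vlan}", [])):
        findings.append(f"Vlan{wan_vlan}: SVI has an IP address, a routed path around the firewall")
    for dest in re.findall(r"monitor session \d+ destination interface (\S+)", config):
        if dest in members:
            findings.append(f"{dest}: mirror destination is itself a member of WAN VLAN {wan_vlan}")
    return findings
```

Running `audit_wan_vlan(SAMPLE_CONFIG, 100, ["GigabitEthernet0/1", "GigabitEthernet0/2"])` reports four findings for the sample; the VLAN range syntax of `switchport trunk allowed vlan` is not parsed, so a range such as `1-200` would not be detected.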
Additional Benefits of a Switch Between the ONT and the Router
There are a few additional benefits to having a switch between the ONT and the router, depending on how much you value your privacy and how far you want to take things:
- Your ISP will never know when your router goes offline, as the link will always be up (unless you reboot your switch).
- You can replace your router and the ONT will be completely unaware.
- Easier upgrades and future expansions of your network.
- If your router does not support SNMP, but your switch does, you can get traffic data on your WAN usage into your Network Monitoring System (NMS).
- It’s easy to unplug your router and attach a laptop for testing in the case of a WAN outage.
So there you have it. I currently run option 2 in my network using the WAN VLAN. This works extremely well and is the one I would recommend.
Some of you might be asking if you can plug more than one router into the ONT this way. Unless you’re using a CARP setup, or unless you have a business account with multiple static IP addresses, the answer is unfortunately no. Your ISP will not issue additional IP addresses to your network beyond the first one. All additional DHCP requests will be dropped.